
ROPC Flow not working #7558

Open
macel94 opened this issue Feb 6, 2025 · 0 comments
Labels
  • bug-unconfirmed: A reported bug that needs to be investigated and confirmed
  • msal-node: Related to msal-node package
  • Needs: Attention 👋: Awaiting response from the MSAL.js team
  • public-client: Issues regarding PublicClientApplications
  • question: Customer is asking for a clarification, use case or information.

Comments


macel94 commented Feb 6, 2025

Core Library

MSAL.js (@azure/msal-node)

Core Library Version

3.1.0

Wrapper Library

Not Applicable

Wrapper Library Version

2.0.0

Public or Confidential Client?

Public

Description

Here I describe that in C# the same flow works correctly for MSAL with the same username and password for the same tenant for federated credentials: pnp/cli-microsoft365#6582

$securePsw = ($env:password | ConvertTo-SecureString -AsPlainText -Force)
Add-PowerAppsAccount -Endpoint prod -tenantId $env:TENANTID -Username $env:USERNAME -Password $securePsw

This works but requires the Microsoft.PowerApps.Administration.PowerShell module, which is Windows-specific.

If I use the pac CLI, which is cross-platform, the login works perfectly and I can do whatever I want with the CLI, but it doesn't have the option to "enable" or "disable" a cloud flow for a specific Power Platform environment.

pac auth create -un $username -p $password --tenant $tenantId --accept-cleartext-caching

And that is precisely why I stumbled upon the m365 CLI.

But only with your CLI, with the same username and password and using the same appId for the same tenant (specifying the tenant or not doesn't change the result):

m365 login --authType password --userName $env:USERNAME --password $env:password

fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.

This is also the actual C# code I used for a different use case, and it still works fine:

using Microsoft.Identity.Client;
using System.Net.Http.Headers;
using System.Net.Http.Json;

// Public client against the multi-tenant ("organizations") authority
var authBuilder = PublicClientApplicationBuilder.Create(clientId)
                             .WithAuthority(AadAuthorityAudience.AzureAdMultipleOrgs)
                             .Build();
var scope = "https://service.powerapps.com//.default";
string[] scopes = [scope];

// ROPC: exchange username and password directly for an access token
AuthenticationResult token =
   await authBuilder.AcquireTokenByUsernamePassword(scopes, usernameSecret.Value, passwordSecret.Value).ExecuteAsync();

// here we call https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01 using the auth token
// because it's what the pac cli does and we want to use the same api in the same way for other purposes
HttpClient client = new();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token.AccessToken);
client.DefaultRequestHeaders.Add("Accept", "application/json");

var response = await client.GetAsync("https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01");
// EnvironmentsResponse is the caller's own model type for the API payload
var responseObj = await response.Content.ReadFromJsonAsync<EnvironmentsResponse>();

Error Message

fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.

MSAL Logs

fails to log in and gives back
Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.

Network Trace (Preferably Fiddler)

  • Sent
  • Pending

MSAL Configuration

const axios = require('axios');
const msal = require('@azure/msal-node');

const PublicClientApplication = msal.PublicClientApplication;

// Placeholder credentials; the real username/password are supplied at run time
const clientId = "51f81489-12ee-4a9e-aaae-a2591f45987d";
const username = "rofl";
const password = "yay";
const scope = "https://service.powerapps.com//.default";

// Public client against the multi-tenant ("organizations") authority
const config = {
    auth: {
        clientId: clientId,
        authority: "https://login.microsoftonline.com/organizations"
    }
};

const pca = new PublicClientApplication(config);

// ROPC request: username and password are sent directly to the token endpoint
const tokenRequest = {
    scopes: [scope],
    username: username,
    password: password,
};

pca.acquireTokenByUsernamePassword(tokenRequest)
    .then((response) => {
        const token = response.accessToken;
        console.log("Token acquired successfully:", token);

        // Same API call the pac CLI makes, using the acquired bearer token
        const client = axios.create({
            headers: {
                'Authorization': `Bearer ${token}`,
                'Accept': 'application/json'
            }
        });

        client.get("https://api.bap.microsoft.com/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments?%60$expand=permissions&api-version=2020-08-01")
            .then(response => {
                const responseObj = response.data;
                console.log("API Response:", responseObj);
            })
            .catch(error => {
                console.error("API Request Error:", error.response ? error.response.data : error.message);
            });
    })
    .catch(error => {
        // The AADSTS50126 error quoted above surfaces here
        console.error("Token Acquisition Error:", error);
    });

Reproduction Steps

Execute the provided code for a federated ADFS SAML user of a valid organization for which you want a JWT from an Azure tenant.

Expected Behavior

I should be able to log in and obtain a valid JWT, as happens with the C# library with the same setup and username/password.

Identity Provider

Entra ID (formerly Azure AD) / MSA

Browsers Affected (Select all that apply)

None (Server)

Regression

No response
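The report above involves a federated (AD FS) account failing the ROPC flow with AADSTS50126. Two checks help a practitioner triage this kind of failure before opening a ticket: classify the account from the Entra ID user-realm discovery response (managed vs. federated, since ROPC against the cloud token endpoint only succeeds for federated accounts when the client library performs the WS-Trust/SAML exchange on the caller's behalf), and parse the "Error(s): … - Description: AADSTSnnnnn: …" message shape so scripts can distinguish "wrong password" from "this account cannot use this flow". The following is an added example written for this page; it is not code from the issue author or from MSAL.js. The user-realm endpoint and its `account_type`, `federation_protocol` and `federation_metadata_url` fields are the real Entra ID discovery API; the sample realm responses, the sample error string (taken from the issue) and the three-entry AADSTS hint table are constructed for illustration.

```javascript
// Added example (not from the issue or from MSAL.js): a pre-flight check for the
// ROPC (username/password) flow plus a parser for the MSAL error message shape
// quoted in the issue.

// AADSTS codes this example recognises. 50126 is the one quoted in the issue; the
// other two are real Entra ID codes with paraphrased descriptions.
const AADSTS_HINTS = {
  '50126': 'Credentials rejected (invalid username or password).',
  '50034': 'User account does not exist in the target directory.',
  '50076': 'Multi-factor authentication is required; ROPC cannot satisfy it.',
};

// Parse a message of the form:
//   Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: ...
// Returns null when the message does not follow that shape.
function parseAadstsError(message) {
  const re = /Error\(s\):\s*(\d+)\s*-\s*Timestamp:\s*(.+?)\s*-\s*Description:\s*AADSTS(\d+):\s*(.*)$/;
  const m = re.exec(message);
  if (!m) return null;
  return {
    code: m[1],
    timestamp: m[2],
    aadstsCode: m[3],
    description: m[4].trim(),
    hint: AADSTS_HINTS[m[3]] || 'Unrecognised code; consult the Entra ID error reference.',
  };
}

// Classify a user-realm discovery response, i.e. the JSON returned by
//   GET https://login.microsoftonline.com/common/userrealm/<upn>?api-version=1.0
// "Managed" accounts authenticate directly against Entra ID; "Federated" accounts
// are handed to an on-premises IdP (for example AD FS via WS-Trust), which is the
// situation described in the issue.
function classifyRealm(realm) {
  const type = realm.account_type || 'Unknown';
  const federated = type === 'Federated';
  return {
    accountType: type,
    federated,
    federationProtocol: federated ? realm.federation_protocol || null : null,
    federationMetadataUrl: federated ? realm.federation_metadata_url || null : null,
    // Plain ROPC against the cloud token endpoint only works for managed accounts;
    // federated accounts need the client library to do the WS-Trust/SAML exchange.
    ropcDirectlySupported: type === 'Managed',
  };
}

// Live lookup for a real UPN (Node 18+ global fetch). Never invoked at load time,
// so the file stays runnable offline.
async function fetchRealm(upn, authorityHost = 'https://login.microsoftonline.com') {
  const url = `${authorityHost}/common/userrealm/${encodeURIComponent(upn)}?api-version=1.0`;
  const res = await fetch(url, { headers: { Accept: 'application/json' } });
  if (!res.ok) throw new Error(`user realm lookup failed: HTTP ${res.status}`);
  return classifyRealm(await res.json());
}

// Constructed sample inputs (not captured from a real tenant); hostnames are placeholders.
const SAMPLE_FEDERATED_REALM = {
  ver: '1.0',
  account_type: 'Federated',
  domain_name: 'contoso.example',
  federation_protocol: 'WSTrust',
  federation_metadata_url: 'https://adfs.contoso.example/adfs/services/trust/mex',
  federation_active_auth_url: 'https://adfs.contoso.example/adfs/services/trust/2005/usernamemixed',
  cloud_instance_name: 'microsoftonline.com',
};
const SAMPLE_MANAGED_REALM = { ver: '1.0', account_type: 'Managed', domain_name: 'fabrikam.example' };
// Error string exactly as quoted in the issue.
const SAMPLE_ERROR = 'Error(s): 50126 - Timestamp: 2025-01-31 09:30:14Z - Description: AADSTS50126: Error validating credentials due to invalid username or password.';

// Runs the two checks over the constructed samples and returns the results.
function demo() {
  return {
    federated: classifyRealm(SAMPLE_FEDERATED_REALM),
    managed: classifyRealm(SAMPLE_MANAGED_REALM),
    error: parseAadstsError(SAMPLE_ERROR),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In practice a script would call `fetchRealm(username)` first and refuse to attempt ROPC when `ropcDirectlySupported` is false, logging the federation protocol and metadata URL instead; that turns an opaque AADSTS50126 into an actionable "this account is federated" diagnosis.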

@macel94 macel94 added bug-unconfirmed A reported bug that needs to be investigated and confirmed question Customer is asking for a clarification, use case or information. labels Feb 6, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs: Attention 👋 Awaiting response from the MSAL.js team label Feb 6, 2025
@github-actions github-actions bot added msal-browser Related to msal-browser package public-client Issues regarding PublicClientApplications msal-node Related to msal-node package and removed msal-browser Related to msal-browser package labels Feb 6, 2025